(Ping! Zine Issue 60) – Network administrators have known for a long time that firewalls and intrusion prevention systems (IPS) aren’t enough to stop today’s sophisticated network attacks. In fact, studies have shown that in 32 percent of distributed denial-of-service (DDoS) attacks, the firewall or the IPS became the bottleneck that slowed network performance to a crawl.
To combat new threats, enterprises are working to create better network and mobile device management security solutions that provide a more integrated approach to security. Within this framework, many research organizations are recommending a transition that incorporates context-aware security.
Why Firewalls Aren’t Getting the Job Done
Unfortunately, the vast majority of successful attacks are client-side; in other words, an end user runs something that he or she shouldn’t. In these cases, a firewall designed to prevent external attacks doesn’t help at all. Also, most applications that are developed today work over ports 80 and 443, which can’t be blocked.
Additionally, most firewall policies are poorly maintained. Most firewalls don’t run up-to-date firmware, and because firewall rules often disrupt legitimate operations, many rule sets have been opened up to stop the disruption and never tightened again. An average firewall can produce thousands of warnings per hour, and no admin has time to review logs at that volume.
Firewalls and IPSs will be components of a security system as long as desktop and laptop computers are being used. However, as the world becomes more mobile, PCs are giving way to tablets, smartphones and other devices such as computer-enabled televisions. These devices won’t use firewalls because end users don’t have the skills to configure them. Also, perimeter firewalls around a network have little value when the network is being accessed by a large number of infected mobile devices.
Context-Aware Security: Clearing the Noise
When applying context-aware security, network administrators consider contextual information in making security decisions. When a given source tries to access the network, the attempt occurs in a certain context, such as time of day and location. The access decision also takes into account the identity and reputation of the source. In other words, instead of trying to go through every log generated by a firewall, context-aware security filters the information and allows admins to pinpoint the sources of attacks based on context.
Through context-aware analysis, admins can develop risk management policies. Characteristics like network topology, the business value of an asset under attack or the current policies around firewalls can help organizations choose which high-risk or high-value systems to shut down or protect in the event of an attack. Solutions like security information and event management (SIEM) systems can build context-aware security by helping to monitor the millions of log records and messages that security edge devices can generate. They can also be integral when a company wants to prosecute the perpetrator of an attack.
Implementing Context-Aware Security
An effective context-aware security policy starts with an effective risk assessment. As organizations transition to the cloud to store huge amounts of data, they trade some security for increased storage space, better access and lower capital expenses. Some types of data need more protection than others, so having a baseline contextual knowledge of how, when, where and who accesses the data will help to identify attacks or unauthorized access before it gets underway.
For starters, data should be classified according to sensitivity. Then, the identity and access management infrastructure needs to be made context-aware. Location awareness, for instance, could involve using GPS to locate a user of an edge device. Federated identity management, device certificates, mobile device management and network access control can also be parts of an integrated, context-aware security solution offering different levels of protection depending on the sensitivity of data.
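The following is an added example, not code from the article, of how a context-aware access decision can combine the signals named above (data sensitivity class, time of day, device location, whether the device is managed, and source reputation). The sensitivity tiers, the risk weights, the 0-100 reputation scale, the risk budgets, the file paths, users and home countries are all constructed for the illustration; a real deployment would feed these from its classification system, MDM, geolocation and threat-intelligence sources.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data classification tiers (constructed for this example)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class AccessContext:
    """Context gathered at the moment of an access attempt."""
    user: str
    device_managed: bool   # enrolled in MDM / holds a device certificate
    country: str           # from GPS or IP geolocation of the edge device
    hour: int              # local hour of day, 0-23
    source_reputation: int # 0 = known bad ... 100 = clean (constructed scale)


# Constructed sample data: which paths hold what class of data, and where each
# user normally works from. Unclassified paths are treated as CONFIDENTIAL so
# that an unlabeled resource is never accidentally treated as public.
DATA_CLASSIFICATION = {
    "/marketing/brochure.pdf": Sensitivity.PUBLIC,
    "/eng/design-notes.md": Sensitivity.INTERNAL,
    "/hr/payroll.xlsx": Sensitivity.RESTRICTED,
}
USER_HOME_COUNTRY = {"alice": "US", "bob": "DE"}
BUSINESS_HOURS = range(7, 20)

# Risk the policy tolerates before demanding step-up authentication; the
# budget shrinks as the data gets more sensitive. Above budget + margin, deny.
RISK_BUDGET = {
    Sensitivity.PUBLIC: 90,
    Sensitivity.INTERNAL: 60,
    Sensitivity.CONFIDENTIAL: 40,
    Sensitivity.RESTRICTED: 20,
}
STEP_UP_MARGIN = 30
KNOWN_BAD_REPUTATION = 10


def risk_score(ctx: AccessContext) -> int:
    """Sum the contextual signals into one risk number (higher = riskier)."""
    score = 0
    if ctx.hour not in BUSINESS_HOURS:
        score += 20                                   # unusual time of day
    if ctx.country != USER_HOME_COUNTRY.get(ctx.user):
        score += 30                                   # unexpected location
    if not ctx.device_managed:
        score += 25                                   # no device certificate / MDM
    score += (100 - ctx.source_reputation) // 2       # 0..50 from reputation
    return score


def decide(ctx: AccessContext, resource: str) -> str:
    """Return 'allow', 'step-up' (require MFA) or 'deny' for this attempt."""
    sensitivity = DATA_CLASSIFICATION.get(resource, Sensitivity.CONFIDENTIAL)
    # Hard rules first: a known-bad source never gets in, and restricted data
    # is only reachable from a managed device regardless of other context.
    if ctx.source_reputation < KNOWN_BAD_REPUTATION:
        return "deny"
    if sensitivity >= Sensitivity.RESTRICTED and not ctx.device_managed:
        return "deny"
    score = risk_score(ctx)
    budget = RISK_BUDGET[sensitivity]
    if score <= budget:
        return "allow"
    if score <= budget + STEP_UP_MARGIN:
        return "step-up"
    return "deny"


if __name__ == "__main__":
    alice_office = AccessContext("alice", True, "US", 10, 95)
    alice_abroad = AccessContext("alice", True, "FR", 10, 95)
    alice_abroad_night = AccessContext("alice", True, "FR", 23, 95)
    for ctx in (alice_office, alice_abroad, alice_abroad_night):
        print(ctx.country, ctx.hour, "->", decide(ctx, "/hr/payroll.xlsx"))
```

The same user on the same managed device is allowed straight through to payroll data from the office during business hours, is asked to step up when the request comes from an unexpected country, and is refused when it comes from an unexpected country in the middle of the night; the public brochure is still allowed in all three cases because its risk budget is far larger.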
Admins also need clear visibility into what network users are doing. Users, their devices, data and applications on the network provide the context for an enterprise’s security policies. Once admins know the typical patterns that an enterprise experiences, they can recognize attacks in their early stages. For instance, when a computer tries to connect to a large number of servers at an unusual time of day, admins can recognize that a potential attack is underway.
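An added example, not from the article, of the "normal day" baseline described above: historical connection records are used to learn, per host and hour of day, how many distinct servers that host usually talks to, and new records are flagged when a host fans out to many servers at an hour where the baseline shows no activity at all, or far beyond its usual fan-out at a familiar hour. The log format, host addresses, thresholds (`fan_out_factor`, `min_fan_out`) and both log samples are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp>Z src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed baseline: two ordinary working days.
BASELINE_LOG = [
    "2024-05-06T09:05:00Z src=10.0.1.5 dst=10.0.2.10 dport=443",
    "2024-05-06T09:07:00Z src=10.0.1.5 dst=10.0.2.11 dport=443",
    "2024-05-06T10:12:00Z src=10.0.1.5 dst=10.0.2.10 dport=443",
    "2024-05-07T09:02:00Z src=10.0.1.5 dst=10.0.2.10 dport=443",
    "2024-05-07T09:30:00Z src=10.0.1.5 dst=10.0.2.11 dport=443",
    "2024-05-06T09:15:00Z src=10.0.1.6 dst=10.0.2.12 dport=445",
    "2024-05-07T09:20:00Z src=10.0.1.6 dst=10.0.2.12 dport=445",
]

# Constructed "today": normal daytime traffic plus one host that reaches six
# different servers at 03:00, an hour at which it has never been active.
TODAY_LOG = [
    "2024-05-08T09:04:00Z src=10.0.1.5 dst=10.0.2.10 dport=443",
    "2024-05-08T09:09:00Z src=10.0.1.5 dst=10.0.2.11 dport=443",
    "2024-05-08T03:01:00Z src=10.0.1.5 dst=10.0.2.20 dport=445",
    "2024-05-08T03:01:10Z src=10.0.1.5 dst=10.0.2.21 dport=445",
    "2024-05-08T03:01:20Z src=10.0.1.5 dst=10.0.2.22 dport=445",
    "2024-05-08T03:01:30Z src=10.0.1.5 dst=10.0.2.23 dport=445",
    "2024-05-08T03:01:40Z src=10.0.1.5 dst=10.0.2.24 dport=445",
    "2024-05-08T03:01:50Z src=10.0.1.5 dst=10.0.2.25 dport=445",
    "2024-05-08T09:11:00Z src=10.0.1.6 dst=10.0.2.12 dport=445",
    "this line is malformed and must be skipped, not crash the detector",
]


def parse(line):
    """Return (timestamp, src, dst, dport) or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def build_baseline(lines):
    """host -> {hour -> most distinct destinations seen in that hour on one day}."""
    per_day = defaultdict(set)          # (src, date, hour) -> {dst, ...}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, _ = rec
        per_day[(src, ts.date(), ts.hour)].add(dst)
    baseline = defaultdict(dict)
    for (src, _, hour), dsts in per_day.items():
        baseline[src][hour] = max(baseline[src].get(hour, 0), len(dsts))
    return baseline


def detect(baseline, lines, fan_out_factor=3, min_fan_out=5):
    """Return (src, hour, distinct_destinations, reason) for each anomaly."""
    observed = defaultdict(set)         # (src, hour) -> {dst, ...}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, _ = rec
        observed[(src, ts.hour)].add(dst)
    alerts = []
    for (src, hour), dsts in sorted(observed.items()):
        n = len(dsts)
        typical = baseline.get(src, {}).get(hour)
        if typical is None:
            # Host has no history at this hour: any real fan-out is suspicious.
            if n >= min_fan_out:
                alerts.append((src, hour, n, "fan-out at hour never seen in baseline"))
        elif n >= max(min_fan_out, typical * fan_out_factor):
            alerts.append((src, hour, n, f"fan-out {n} vs typical {typical}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(alert)
```

The daytime traffic matches what the baseline has seen before and produces nothing, while the 03:00 burst from 10.0.1.5 is reported once, summarizing six distinct destinations at an hour with no history, which is exactly the kind of early signal the article describes.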
Not every attack can be prevented, but enterprises can no longer assume that a one-size-fits-all solution is going to prevent every attack. Understanding how the network should look on a normal day, and applying that knowledge to create effective security policies, is the heart of the context-aware security approach.